GDPR, Apr 16, 2026

AEPD (Spain) - EXP202317887

Spain's AEPD fines YOTI €950K for unlawful biometric processing and consent violations.

Summary

Spain's Data Protection Agency (AEPD) fined digital identity and age-verification provider YOTI Ltd. €950,000 for violations of GDPR Articles 5, 7, and 9. The authority found that YOTI processed biometric facial recognition data without valid explicit consent, bundled separate processing purposes (identity verification and R&D algorithm improvement) into a single consent request, and failed to allow users to refuse research use without losing service access. YOTI also failed to implement adequate data retention limits, storing verification images for up to 28 days and retaining technical data without clear justification.

Full text

From GDPRhub, "AEPD (Spain) - EXP202317887", latest revision as of 08:36, 16 April 2026.

AEPD - EXP202317887

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(e) GDPR, Article 7 GDPR, Article 9(1) GDPR, Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 12.12.2023
Decided:
Published: 12.03.2026
Fine: 950.000 EUR
Parties: YOTI LTD.
National Case Number/Name: EXP202317887
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: RP

The DPA fined a digital ID and age-verification provider €950,000 for unlawfully processing biometric data and not limiting data retention.

English Summary

Facts

On 12 December 2023, the Spanish Data Protection Agency (AEPD) started an ex officio investigation into YOTI Ltd., a company that provides digital identity and age-verification services for individuals and businesses. The AEPD considered the investigation necessary because YOTI operated a widely used digital identity platform with millions of users.

YOTI provided various age verification methods, mostly offered as a software-as-a-service to business customers. In these cases, the customers acted as data controllers and YOTI as a processor. However, for its Digital ID App, YOTI acted as the controller. To use the app, a person created a verified account by uploading an identity document and a selfie. When sharing an age attribute with a service, the app normally sent only the minimum necessary information, such as confirmation that the user was above or below a given age, without sharing the full date of birth or document copy. YOTI stored these attributes in its UK data centres and deleted them after verification.

Other verification methods included uploading an identification document for automated or optional manual checks, facial age estimation, phone number verification, credit card verification, and database checks. These methods involved processing various personal data such as document images, selfies, facial data, phone numbers, card details, and addresses. Manual verification could involve staff in YOTI’s India security centre remotely accessing data on UK servers, with retention of images up to 28 days. Facial age estimation used machine learning to estimate age from images, which were deleted after analysis. YOTI also collected technical information, including geolocation based on IP, timestamps, verification logs, and anonymised analytical data about devices and session performance.

To reduce repeated verifications, YOTI created age tokens, storing verification results in cookies or user accounts, allowing reuse across websites or devices without repeating the full process. Regarding minors, YOTI stated that it processed only the minimum data needed to verify age, did not profile users, and retained most data only temporarily. Identity documents and selfies were kept up to 28 days if manual checks were required, while Digital ID App data and age tokens were stored as long as the account remained active or up to three years of inactivity. YOTI emphasised that its system was designed to protect children while confirming age efficiently and securely.

Following the investigation, the AEPD opened disciplinary proceedings against YOTI.

Holding

The AEPD held that YOTI infringed Article 9 GDPR, Article 7 GDPR, and Article 5(1)(e) GDPR.

First, the AEPD found that YOTI processed biometric data used for facial recognition. The authority considered this data to be biometric data that uniquely identifies a natural person. The processing therefore fell within the prohibition established in Article 9(1) GDPR. YOTI relied on explicit consent as a legal basis under Article 9(2)(a) GDPR. However, the authority concluded that YOTI had not obtained valid explicit consent for all processing purposes.

The AEPD found that YOTI bundled several processing purposes into a single consent request. Users who wanted to use the identity-verification service also had to agree that their biometric data could be used for research and development activities. The authority considered these purposes to be separate. One purpose concerned the provision of the service requested by the user, while the other concerned YOTI’s internal improvement of algorithms. Because YOTI did not allow users to refuse the research and development processing without losing access to the service, the consent was not freely given and not sufficiently specific under Article 7 GDPR.

The AEPD also stressed that the processing involved sensitive biometric data and that the service could be used by minors from the age of 13. In this context, the AEPD considered that YOTI had to apply particularly strict standards when obtaining consent. The authority concluded that YOTI failed to provide a sufficiently granular consent mechanism and therefore c

Entities

YOTI Ltd. (vendor)
YOTI Digital ID App (product)